NuGet packages

How to get started with private NuGet feeds

NuGet is the package manager for .NET, both as a separate cli client as well as the integrated package manager in Visual Studio.

Bytesafe private NuGet registries allow for a single source for all NuGet packages required by your team and CI/CD pipelines. Publish and share internal NuGet packages and proxy public packages from external upstreams like NuGet Gallery.

For download instructions and how to get started with NuGet, see the official NuGet site.

Did you know you can get copy-paste ready instructions directly in Bytesafe?

Contextual according to the registry. Login to Bytesafe and select More Info for the registry of your choice.

nuget-registry-info

Configuring NuGet to access Bytesafe

To get started, add the Bytesafe private registry as a NuGet package source together with your access token.

Using Visual Studio and want to manage sources in your IDE? See Integrating with Visual Studio.

Using JetBrains Rider? It’s recommended to manage sources and credentials manually. See Integrating with JetBrains Rider.

# Add the URL, username and access token (password) to your nuget sources

$ nuget sources add -Name {REGISTRY} -Source https://{WORKSPACE}.bytesafe.dev/nuget/{REGISTRY}/index.json -Username bytesafe -Password {TOKEN}

...

# To publish packages using nuget set an apikey for the source

$ nuget setapikey {TOKEN} -Source {REGISTRY}

...

The configuration is added to your NuGet.Config file.

For Windows: %appdata%\NuGet\NuGet.Config. For Mac: either ~/.config/NuGet/NuGet.Config or ~/.nuget/NuGet/NuGet.Config. For more information, see NuGet configuration files.

Create access token

NuGet registries in Bytesafe are private and only available to users with secure access tokens.

Create an access token in Bytesafe by selecting Access tokens from the user Profile menu.

Create a secure access token in Bytesafe

Add the token to your desired configuration (replacing {TOKEN} in examples).

For security reasons the full token is only available upon creation.

Disabling nuget.org package source

By default, nuget includes nuget.org as a package source. To make sure NuGet requests are handled by Bytesafe, it’s recommended that nuget.org is disabled as a source.

Disabling nuget.org ensures dependencies are fetched from Bytesafe and prevents accidental publish of internal packages.

# Disable nuget.org as a package source

$ nuget sources disable -Name nuget.org

...

Check what sources are active for your configuration with the nuget sources list command.

# List registered source with nuget sources list

$ nuget sources list

# It's recommended that nuget.org is disabled

Registered Sources:

1. nuget.org [Disabled]

https://api.nuget.org/v3/index.json

2. bytesafe-nuget-example [Enabled]

https://{WORKSPACE}.bytesafe.dev/nuget/{REGISTRY}/index.json

NuGet configuration files

NuGet.Config files are settings that can exist at project-, user-, and computer-wide levels. Settings apply for both the nuget cli as well as for the integrated NuGet Package Manager in Visual Studio.

The location of the user level config file varies depending on OS distribution.

NuGet.Config file location
Windows: %appdata%\NuGet\NuGet.Config
Mac/Linux: ~/.config/NuGet/NuGet.Config or ~/.nuget/NuGet/NuGet.Config (varies by OS distribution)

If required users can specify a path to a config file with the -ConfigFile flag followed by path to the desired file.

<!-- Example NuGet.Config -->

</configuration>

<packageSources>

<add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />

<add key="{REGISTRY}" value="https://{WORKSPACE}.bytesafe.dev/nuget/{REGISTRY}/index.json" />

</packageSources>

<packageSourceCredentials>

<{REGISTRY}>

<add key="Username" value="bytesafe" />

<add key="Password" value="{ENCODED-TOKEN}" />

</{REGISTRY}>

</packageSourceCredentials>

<apikeys>

<add key="https://{WORKSPACE}.bytesafe.dev/nuget/{REGISTRY}/index.json" value="{ENCODED-TOKEN}" />

</apikeys>

<disabledPackageSources>

<add key="nuget.org" value="true" />

</disabledPackageSources>

</configuration>

Organizations looking to deploy consistent NuGet configurations for package sources and default push source, can further look into distributing a NuGetDefaults.Config file.

For detailed information on NuGet configurations and paths, see Microsoft’s official Common NuGet configurations.

Publish / Upload NuGet packages

NuGet packages can be added to Bytesafe either using nuget push or by uploading files manually in Bytesafe.

To publish using nuget users need to configure access to the source in the applicable NuGet.Config file.

# Publish package to registry using nuget. Replace {REGISTRY} with source name

$ nuget push {PACKAGE} -Source {REGISTRY}

...

Packages are available in Bytesafe as soon as the upload is finalized.

Install NuGet dependencies

NuGet dependencies are specified as package references (<PackageReference>) in the project file (.csproj). Manage project dependencies by editing the .csproj and adding any required package references.

<!-- Example package reference in .csproj file -->

<ItemGroup>

<!-- ... -->

<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />

<!-- ... -->

</ItemGroup>

Copy-paste ready and version specific instructions are available on the corresponding package version page in Bytesafe. Users can also copy package references directly from NuGet Gallery when browsing packages.

Restore project dependencies

To restore project dependencies run the nuget restore command.

# Restore package dependencies from Bytesafe

$ nuget restore -Source {REGISTRY}

With a public source, like nuget.org as an upstream for a registry, Bytesafe will proxy public dependencies and pull any required version into Bytesafe.

Users that have previously installed packages from another source, may want to run nuget locals all -clear to avoid using the local cache and make sure packages are downloaded from Bytesafe.

Install a package version

To install a specific version for your project, run nuget install.

# Install a specific package version to your project

$ nuget install {PACKAGE} -Version {VERSION} -Source {REGISTRY}

Note that nuget install does not modify the dependencies specified in the project file.

If required, copy-paste ready version specific instructions are available on any package version page in Bytesafe.

Proxy nuget.org as an upstream

Proxy public NuGet dependencies with Bytesafe by adding the public NuGet Gallery (nuget.org) as an upstream for a registry.

To add an upstream source, go to the upstreams tab for a registry and click Add upstream button.

In the sidebar, select the public registry, NuGet Gallery in the drop-down list.

add-registry-upstream

No additional information is required to pull packages from the nuget.org. Users that also want to push packages are required to provide their authentication credentials.

Actions related to enabled plugins (like vulnerability scanning and license compliance checks) are performed before package versions enter Bytesafe.

Integrating with Visual Studio

Bytesafe private NuGet registries can easily be integrated as a package source in Visual Studio.

Pre-existing NuGet.Config files will be identified by Visual Studio and used to configure package sources for NuGet Package Manager. Note that some versions of Visual Studio require private sources to be added using the nuget cli.

Refer to configuring nuget at the top of the page for more information on how to add sources using nuget.

Adding a source manually inside Visual Studio

Add the Name, URL and credentials for the registry as the source in the Visual Studio configuration. Access Package Sources in the options (Windows: NuGet Package Manager > Package Sources / Mac: NuGet > Sources).

Add private NuGet source in Visual Studio (Mac)

With the source added, packages are automatically able to be restored and updated in Visual Studio using your Bytesafe NuGet registry.

Any packages available in Bytesafe will also be available to browse and search in Visual Studio.

Integrating with Microsoft Azure

Adding a private Bytesafe NuGet feed for an Azure DevOps Pipeline

To restore or publish NuGet packages from/to a Bytesafe Registry:

  1. Set up an External NuGet Service Connection
  2. Add a custom NuGet.Config to your Azure project
  3. Customize the Pipeline step to use 1) and 2)

1. Set up an External NuGet Service Connection

Add the URL, username (bytesafe) and access token (password) to your Bytesafe workspace and name your Service Connection. Add private NuGet feed in Azure DevOps Pipeline

2. Add a custom NuGet.Config to your Azure project

<?xml version="1.0" encoding="utf-8"?>

<configuration>

<packageSources>

<clear />

<add key="bytesafe" value="https://<workspace>.bytesafe.dev/nuget/<registry>/index.json" />

</packageSources>

</configuration>

3. Customize the Pipeline step to use 1) and 2)

The following restores individual projects found in the repository (**/*.csproj) and builds it.

Make sure that the config file created in 2) matches the path referenced to in nugetConfigPath below and that nuGetServiceConnections and externalFeedCredentials matches the name of your Service Connection from 1).

steps:

- task: NuGetAuthenticate@1

displayName: 'NuGet Authenticate'

inputs:

nuGetServiceConnections: 'Bytesafe feed'

- task: NuGetCommand@2

inputs:

command: 'restore'

restoreSolution: '**/*.csproj'

feedsToUse: config

nugetConfigPath: ./azure/config/NuGet.Config

includeNuGetOrg: false

noCache: true

externalFeedCredentials: 'Bytesafe feed'

- task: MSBuild@1

inputs:

solution: '**/*.csproj'

Integrating with JetBrains Rider

Bytesafe private NuGet registries can be integrated as a package source for JetBrains Rider.

Pre-existing NuGet.Config files will be identified by JetBrains Rider and used to set package sources. Users that want to add Bytesafe as a new package source are recommended to add it directly in Rider to avoid conflicts.

Users that used nuget to add sources and credentials should make sure to restart their IDE refresh NuGet package sources to make sure settings are reloaded.

Using JetBrains Rider on Mac? Mac distributions use the ~/.nuget/NuGet/NuGet.Config location and lack support for encrypted passwords set by nuget. It’s recommended to manage sources and credentials directly in the IDE.

Adding a source manually inside JetBrains Rider

Add the Name, URL and credentials for the new feed in the NuGet Sources configuration.

Access the NuGet Tool window from the bottom Tool bar or by right-clicking any project dependency and select Manage NuGet Packages.

Add private NuGet source in JetBrains Rider

With the new source added, packages are able to be restored and updated in Rider using your Bytesafe NuGet registry.

Users that want to use Bytesafe in place of nuget.org should deselect it as an enabled source and refresh NuGet packages sources on the Packages tab.

Updated your NuGet sources for Rider? Remember to refresh NuGet package sources in Rider to avoid conflicts.

Refresh NuGet package sources in JetBrains Rider

To pull existing project dependencies into Bytesafe, users should clear local NuGet package caches and Trigger a NuGet Restore from inside Rider.

Packages available in Bytesafe will be displayed with the source name when managing packages in Rider. New packages can also be browsed and searched.